BIND and Windows DNS logging and archiving

Mick Lee lmick5455 at gmail.com
Wed May 9 15:19:14 UTC 2018


Just realized I forgot to include a link:

https://www.nospaceships.com/products/dns-logger.html

Mick

On Wed, Apr 11, 2018 at 10:37 PM, Mick Lee <lmick5455 at gmail.com> wrote:

> Hi All,
>
> Some time ago I posted about capturing DNS activity (queries and responses)
> for both BIND and Windows DNS, and my colleague had a tool which he ported
> to Windows for me.  This tool is called dns-logger.
>
> His company NoSpaceships, has just released the dns-logger product,
> available free for anyone to use.
>
> It currently supports JSON- and ISC BIND-formatted Syslog-based messages
> (and also includes responses).  They have indicated they look to support
> dnstap as an output format too (useful if you are not running BIND).
>
> This may be a little off-topic, but I thought I would post anyway since I
> am finding it quite useful.
>
> Hopefully someone will find this useful.
>
> Mick
>
> On Tue, Aug 15, 2017 at 5:29 PM, Mick Lee <lmick5455 at gmail.com> wrote:
>
>> Forgot to CC the list.
>>
>> ---------- Forwarded message ----------
>> From: Mick Lee <lmick5455 at gmail.com>
>> Date: Sat, Aug 12, 2017 at 6:55 PM
>> Subject: Re: BIND and Windows DNS logging and archiving
>> To: Phil Mayers <p.mayers at imperial.ac.uk>
>>
>>
>> Thanks,
>>
>> I checked and it doesn't look like dnscap would work with little change
>> :(  Anyway, my colleague has now implemented a similar tool called
>> dns-activity-logger.
>>
>> I mention it here since it does DNS response logging, specifically for IP
>> addresses.  You get output similar to BIND query logging for responses too:
>>
>> # Response logging is like query logging, but you get rcode, ans-count, auth-count, add-count and a space-separated list of IPs from the answer section, if any
>> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: query: www.apple.com IN A + (192.168.1.200)
>> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: query: www.apple.com IN A + (192.168.1.1)
>> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: response: www.apple.com IN A + (192.168.1.1) NOERROR 4 0 1: 23.198.68.189
>> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: response: www.apple.com IN A + (192.168.1.200) NOERROR 4 0 0: 23.198.68.189
>>
>> It streams Syslog messages out in real-time over TCP, supports
>> auto-failover in case one Syslog server goes down, and buffers in memory so
>> it doesn't require any disk I/O.
>>
>> My initial use case was Windows, but after seeing the response logging I
>> think I will disable BIND query logging and just use this.
>>
>> He's willing to make it available to the general public if there is any
>> interest.
>>
>> Cheers
>>
>> Mick
>>
>> On Sun, Jul 23, 2017 at 5:15 PM, Phil Mayers <p.mayers at imperial.ac.uk>
>> wrote:
>>
>>> On 23/07/2017 15:16, Mick Lee wrote:
>>>
>>>> I have a colleague who has said he has parts of a PCAP-to-BIND-query-log
>>>> agent that runs on UNIX platforms, and he is happy to port that to
>>>> Windows for me - he's actually working on it now (for a few beers :) ).
>>>>
>>>
>>> dnscap basically does the same thing. No idea how easy it would be to
>>> run under Windows.
>>>
>>> Absent changes to the resolving setup, I think that a capture/tap is
>>> probably your only realistic option.
>>>
>>> Depending on your architecture (physical, virtual, topology) the tap
>>> could live on another box, if all you need is to know that server A made a
>>> query for badzone B.
>>>
>>
>>
>>
>
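The response lines quoted above carry the fields that make this output more useful than plain BIND query logging for incident response: the client that asked, the name, the rcode, the three section counts, and the answer IPs. The following is an added example (editor's code, not part of the thread and not the dns-activity-logger or dns-logger tools) that parses lines in exactly the layout shown in the message, builds a reverse index of answer IP to queried names, and flags any response whose answer IP is on a watchlist. The sample input reuses the four lines posted above plus one constructed line (marked in the code) so that the watchlist check has something to hit; the handling of a response with an empty answer list (trailing colon with nothing after it, or no colon at all) is an assumption, since the message shows no such line.

```python
import re
from collections import defaultdict

# Constructed sample input: the four lines quoted in the message, plus one
# made-up response line (last) whose answer IPs are documentation addresses.
SAMPLE_LOG = """\
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: query: www.apple.com IN A + (192.168.1.200)
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: query: www.apple.com IN A + (192.168.1.1)
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: response: www.apple.com IN A + (192.168.1.1) NOERROR 4 0 1: 23.198.68.189
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: response: www.apple.com IN A + (192.168.1.200) NOERROR 4 0 0: 23.198.68.189
Aug 12 17:47:26 dns01 dns-activity-logger[6476]: client 192.168.1.42#50210: response: update.example.net IN A + (192.168.1.200) NOERROR 2 0 0: 203.0.113.7 203.0.113.8
"""

# Layout taken from the lines in the message:
#   <syslog ts> <host> dns-activity-logger[<pid>]: client <ip>#<port>: <query|response>:
#   <qname> <class> <type> <flags> (<server>) [<rcode> <ans> <auth> <add>: <ip> <ip> ...]
# The bracketed tail is present only on response lines. The optional colon and
# possibly empty answer list are an assumption for NXDOMAIN/SERVFAIL responses.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dns-activity-logger\[(?P<pid>\d+)\]: "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+): (?P<kind>query|response): "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)"
    r"(?: (?P<rcode>[A-Z0-9]+) (?P<ancount>\d+) (?P<nscount>\d+) (?P<arcount>\d+):?(?P<answers>.*))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in this format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    if rec["kind"] == "response":
        for key in ("ancount", "nscount", "arcount"):
            rec[key] = int(rec[key])
        # Answer IPs are space separated; split() also copes with an empty list.
        rec["answers"] = rec["answers"].split()
    else:
        rec["answers"] = []
    return rec


def parse_log(text):
    """Parse every recognisable line, silently skipping anything else."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def ip_to_names(records):
    """Reverse index: answer IP -> set of names that resolved to it.

    This is the lookup an analyst wants when a firewall or proxy log shows a
    connection to a bare IP and the question is 'which name led there?'.
    """
    index = defaultdict(set)
    for r in records:
        if r["kind"] == "response":
            for ip in r["answers"]:
                index[ip].add(r["qname"])
    return index


def watchlist_hits(records, watchlist):
    """Return (client, qname, ip) for each response whose answer IP is watchlisted.

    Only the answer section is checked, so a CNAME chain is caught by the final
    A record rather than by any intermediate name.
    """
    hits = []
    for r in records:
        if r["kind"] != "response":
            continue
        for ip in r["answers"]:
            if ip in watchlist:
                hits.append((r["client"], r["qname"], ip))
    return hits


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for ip, names in sorted(ip_to_names(records).items()):
        print(ip, "<-", ", ".join(sorted(names)))
    for client, name, ip in watchlist_hits(records, {"203.0.113.7"}):
        print("WATCHLIST", client, name, ip)
```

Note that on the quoted lines the recursive resolver (192.168.1.200) appears both as the server in the first query and as the client of the forwarded query, so the parser deliberately keeps `client` and `server` separate rather than collapsing them: when correlating with endpoint logs you want the original stub client (192.168.1.13), not the resolver that forwarded on its behalf.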